Client Alert: FDIC Publishes Conducting Business with ...

www.bfkn.com

Client Alert: FDIC Publishes ConductingBusiness with Banks: A Guide forFinTechs & Third Parties

Related Professionals

Joseph T. Ceithaml

Bill Fay

Robert M. Fleetwood

John E. Freechack

John M. Geiringer

Emily N. Henkel

Brent McCauley

Abdul R. Mitha

Stanley F. Orszula

Andrea L. Sill

Karol K. Sparks

Dennis R. Wendte

Related Practice Areas

Financial Institutions

FinTech

February 25, 2020 - Barack Ferrazzano Client AlertHighlights Issues to Consider When Working with a FinTech

Action Items

If your bank wishes to partner with a FinTech, consider the following

● Are you up to date on all of the recent regulatory developments related to FinTech activities?

● Have you performed adequate due diligence on the FinTech?

● Have you had potential agreements with FinTechs critically reviewed in light of the new guidelines?

● We are available to discuss any questions you may have as youconsider FinTech partnerships.

Conducting Business with Banks: A Guide for FinTechs & ThirdParties

On February 24, 2020, the FDIC published a new guide as part of itsFDiTech series titled Conducting Business with Banks: A Guide for FinTechsand Third Parties. A link to the guide can be found here: https://www.fdic.gov/fditech/guide.pdf

The guide discusses third party risk management with a focus on newtechnologies and partnering with FinTech entities. The principles in the guideare applicable to whether the bank is using a FinTech as a vendor or if abank is providing a service to a FinTech, such as Banking-as-a-Service

www.bfkn.com

("BaaS").

The principles in the guide are consistent with prior Barack Ferrazzano Client Alerts:

● Offering Banking-as-a-Service?

» https://www.bfkn.com/newsroom-publications-363

● New FDIC Guidance on Technology Service Provider (TSP) Contracts


● FinTech Regulatory Update - Bank & FinTech Agreements


● Working with a FinTech? – 5 Things to Know


● Client Alert Update: FinTech & Bank Partnerships

» https://www.bfkn.com/newsroom-publications-ca_201705_fintechbank

The FDIC’s advice is also consistent with prior OCC remarks discussing financial technologies and banks offeringnew products, a link to which can be found here: https://www.occ.treas.gov/news-issuances/news-releases/2017/nr-occ-2017-125.html

Although the FDIC is attempting to provide guidance to banks working with FinTechs, they are doing so within theexisting framework of risk management and vendor management principles. Specifically, the main takeaway fromthese new guidelines is the FDIC expects banks to apply careful due diligence and critical contract reviewwhen considering FinTech contracts. Even if your bank is not regulated by the FDIC, the principles embodied inthe guidelines provide an outline of the critical issues to consider when working with a FinTech.

We Can Help You

Barack Ferrazzano Financial Institutions Group attorneys are currently working on a wide range of partnerships,contracts, and related agreements between banks and FinTechs. Please contact us if you are interested in discussingany potential FinTech partnership or vendor opportunities.

Client Alert: FDIC Publishes Conducting Business with Banks: A Guide for FinTechs & ThirdParties

www.bfkn.com

Client Alert: Offering Banking-as-a-Service?


Joseph T. Ceithaml

Bill Fay

Robert M. Fleetwood

John E. Freechack

John M. Geiringer

Emily N. Henkel

Brent McCauley

Abdul R. Mitha

Stanley F. Orszula

Andrea L. Sill

Karol K. Sparks

Dennis R. Wendte



FinTech

January 9, 2020 - Barack Ferrazzano Client Alert10 Legal Considerations When Offering BaaS

Action Items

● Review our In-Depth: 10 Legal Considerations When OfferingBanking-as-a-Service ("BaaS").

● Board & Senior Management Education. Educate your Board andSenior Management about BaaS issues.

● Infrastructure & Operations. Evaluate your infrastructure, operations,Compliance Management System (“CMS”), and existing third-partyagreements.

● FinTech Due Diligence. Perform comprehensive due diligence onpotential FinTech BaaS clients.

● Continuous Evaluation. Continually evaluate your BaaS operations,regularly review and revise your program management agreement, andother third-party agreements. Prepare for your FinTech-relatedexamination and promptly address any issues.

What is "BaaS?"

BaaS allows banks to offer FinTechs and their customers access toregulated bank products — such as federally insured deposit accounts —and is transforming banking by allowing banks to serve and profit from thismarket. However, BaaS involves operational, reputational, and regulatoryrisk if not properly conducted.

www.bfkn.com

Rapidly evolving financial technology and regulatory attitudes are increasing the demand for banks to provide BaaSto FinTechs. BaaS is generally an end-to-end process that allows FinTechs to connect with banks’ systems, so theycan build banking offerings on top of the banks’ regulated infrastructure, and access federal deposit insurance. BaaSis an extension of open banking, in which a bank opens its application programming interface (“API”) to a third partyfor data or functionality access. BaaS can also increase a bank’s deposit base and non-interest income if donecorrectly.

Recently, FDIC Chair Jelena McWilliams commented about bank and FinTech partnerships at the Money 20/20Conference:

The last few years have shown that banks and FinTechs can not only coexist but coexist in a symbiotic union. Thereis an opportunity for FinTechs to provide something that the banks are unable to do in as agile and technologicallyadvanced [an] environment. There's an opportunity for banks to expand their offerings and customer base andservices through the FinTech.1

1 See https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/55258773

Top 10 Considerations

Here is an overview of our "10 Legal Considerations When Offering Banking-as-a-Service." Click here to review eachstep in more detail: https://www.bfkn.com/10-legal-considerations-when-offering-baas:

1. Board & Senior Management Education/Involvement

2. Bank Infrastructure

3. Policies & Procedures

4. Third-Party Relationships

5. FinTech Due Diligence

6. The Program Management Agreement

7. BSA/AML Expectations

8. Operational

9. FinTech Examinations

10. Exit Strategy

We Can Help You

Over the last few years, we have helped develop BaaS programs for our clients. Whether providing training to Boardsand employees, assisting with policies, procedures and program management agreements, interacting withregulators and the bank’s vendors, addressing practical concerns and advising about FinTech, we can help your banksuccessfully develop, manage and grow BaaS.


www.bfkn.com

Please contact us if you are considering offering BaaS, or if you want to discuss how to develop and leverage yourexisting BaaS relationships.


www.bfkn.com

Client Alert: New FDIC Guidance onTechnology Service Provider (TSP)Contracts


Matthew A. Bills

Nicholas M. Brenckman

Joseph T. Ceithaml

Bill Fay

Robert M. Fleetwood

John E. Freechack

John M. Geiringer

Katherine Fritzi Getz

Andrew J. Gordon

Emily N. Henkel

Alice Lin

Brent McCauley

Abdul R. Mitha

Stanley F. Orszula

Neil R. Patel

Andrea L. Sill

Karol K. Sparks

Dennis R. Wendte



April 24, 2019Proactive Risk Management is Key

Action Items

● Review your bank’s policies to ensure that relationships withTechnology Service Providers (“TSP”) are sufficiently vetted bymanagement and overseen by the board.

● Assess your bank’s existing TSP contracts to ensure compliancewith current TSP and third-party vendor management guidelines.

● For all potential TSP contracts and renewals of existing contracts,negotiate robust protections for the bank, especially in connectionwith business continuity and data security.

FDIC FIL-19-2019 – Technology Service Provider Contracts

The FDIC recently issued FIL-19-2019 regarding Technology ServiceProvider Contracts, which can be found at: https://www.fdic.gov/news/news/financial/2019/fil19019.html. The letter addresses deficiencies FDICexaminers found in many TSP contracts that, among other things,insufficiently addressed business continuity risks and data breach/cybersecurity incidents. We have observed the FDIC (and other bank regulators)raise these issues in recent exams. The topic is especially timely and criticalin light of the growth of FinTech relationships, which often contain a TSPelement.

www.bfkn.com

FinTechThe principles enunciated by the FDIC in FIL-19-2019 involve both thecontractual issues examiners identified and the necessity of proactive riskmanagement. Even if the FDIC is not your bank’s primary federal regulator,these principles are indicative of the evolving expectations in this area.

Contractual Inadequacies

The FDIC’s guidance focused on contractual inadequacies, including:

● Absence of a requirement for the vendor to maintain a businesscontinuity plan (with established recovery standards and definedremedies if standards are not met);

● Lack of defined procedures if a service disruption or security incidentoccurs; and

● Vague and unclear terms outlining the bank’s rights and the serviceprovider’s responsibilities in the event of a service disruption or securityincident.

Proactive Risk Management

A bank’s directors and senior management retain primary responsibility foroverseeing and managing the risks that accompany technology outsourcingrelationships. Accordingly, whether a TSP relationship is new or has been inplace for some time, Banks are encouraged to take the following measures:

● Ensure that TSP contracts adequately address business continuity andincident response risks;

● Assess gaps in existing agreements, including those arising from theabsence of clearly defined terms or specific requirements concerningbusiness continuity and incident response provisions, to avoid confusionin the future; and

● Implement compensating controls to mitigate any risks resulting fromgaps in contractual continuity and incident response provisions.

TSP contracts are frequently offered to banks with little time to properly vetthem from due diligence, regulatory, and legal standpoints. Don’t let thathappen. Your bank needs to follow best practices in managing TSPrelationships to ensure contractual protections and adequate risk oversightand compliance.

Client Alert: New FDIC Guidance on Technology Service Provider (TSP) Contracts

www.bfkn.com

We Can Help You

Please contact us to review your bank’s current and potential TSP contracts and if you are considering a new TSPrelationship, renewing an existing TSP contract, or if you want to discuss how to address an existing TSP relationshipin light of the FDIC’s guidance.

We have addressed trends in this area in recent Client Alerts regarding TSPs, third-party vendor management, andFinTech relationships:

● Client Alert: FinTech Regulatory Update – Bank & FinTech Agreements

» https://www.bfkn.com/fig_201903ca_fintech_regulatoryupdate

● Client Alert: Working with a FinTech? – 5 Things to Know

» https://www.bfkn.com/fig_201812ca_fintech

● Client Alert: Updated Regulatory Risk Management Guidance

» http://www.bfkn.com/fig_201711_occ_update

● FinTech Opportunities for Your Bank: A Voyage Into New, But Not Uncharted Waters




Client Alert: New FDIC Guidance on Technology Service Provider (TSP) Contracts

www.bfkn.com

Client Alert: FinTech Regulatory Update- Bank & FinTech Agreements


Nicholas M. Brenckman

Joseph T. Ceithaml

Bill Fay

Robert M. Fleetwood

John E. Freechack

John M. Geiringer


Andrew J. Gordon

Emily N. Henkel

Alice Lin

Brent McCauley

Abdul R. Mitha

Stanley F. Orszula

Neil R. Patel

Andrea L. Sill

Karol K. Sparks

Dennis R. Wendte



FinTech

April 3, 2019 - Barack Ferrazzano Client AlertA Discussion of Emerging Critical Issues

Action Items

Before entering into any FinTech agreements, your bank shouldconsider the following:

● The relationship with the FinTech

● Your own bank’s FinTech goals and strategy

● FinTech related laws and regulations

● Contact us to review and help develop any new, modified, orexpanded bank products or services to ensure they are compliant

Recently, Barack Ferrazzano Financial Institutions Group partner StanleyF. Orszula participated in a roundtable in Washington, D.C. with banks,FinTechs, regulators, and FinTech thought leaders and scholars that focusedon FinTech regulatory and compliance issues, especially with bankagreements. The critical emerging issues discussed that could potentiallyaffect banks were:

» Unsupervised machine learning and artificial intelligence creditscoring models ("AI Credit Models"); and

» Third party vendor risk management.

The latter topic has previously been addressed by the Financial InstitutionsGroup here:

www.bfkn.com

» Barack Ferrazzano FinTech News, Events, & Publications

AI Credit Models

Many FinTechs use proprietary AI Credit Models instead of FICO scores in their lending models. Unsupervised (byhumans) AI Credit Models can result in the FinTech platform discriminating against legal sensitivecharacteristics, which could potentially violate the Equal Credit Opportunity Act ("ECOA") and Regulation B("Reg B"). The problem is FinTechs keep their underlying AI Credit Models highly confidential and will not share thisinformation with their bank partners. Accordingly, a bank could inadvertently violate the ECOA and Reg B through aFinTech platform that has an opaque AI Credit Model. Consistent with our prior discussions on this topic, banks needto review this issue critically.

Third Party Vendor Risk Management

Third party vendor risk management is also a critical emerging issue we previously highlighted. Vendor managementis an especially critical area in FinTech because most banks will choose to work with a FinTech entity that owns,develops, and services the technology. The disconnect is many of these FinTech entities have little bankregulatory experience and may be learning as they develop and deploy their products without the legacyregulatory experience. They may also propose contract terms that expose banks to unnecessary risks. Banks canprotect themselves by performing critical review in all stages of vendor management process, but especially withexperienced legal counsel reviewing the underlying agreement.

We Can Help You

Please contact us if you are considering a new FinTech product or relationship or if you want to discuss how toapproach contract negotiation with a FinTech in light of these issues.

References

● Client Alert: Working with a FinTech? – 5 Things to Know


● Client Alert: Updated Regulatory Risk Management Guidance


● FinTech Opportunities for Your Bank: A Voyage Into New, But Not Uncharted Waters




Client Alert: FinTech Regulatory Update - Bank & FinTech Agreements

www.bfkn.com

Client Alert: Working with a FinTech? –5 Things to Know


Joseph T. Ceithaml

Bill Fay

Robert M. Fleetwood

John E. Freechack

John M. Geiringer

Brent McCauley

Abdul R. Mitha

Stanley F. Orszula

Andrea L. Sill

Karol K. Sparks

Dennis R. Wendte



FinTech

December 4, 2018 - Barack Ferrazzano Client AlertNovelty and the Various Risks

Action Items

Before entering into any FinTech agreements, your bank shouldconsider the following:

● The FinTech entity you are working with

● The agreement with the FinTech

● The law and regulations related to the arrangement

● Your own bank and your FinTech goals and strategy

● The relationship with the FinTech

Financial Technology

We are increasingly helping our bank clients with the negotiation of FinTech(financial technology) agreements. These agreements include, among otherthings, data analytic services, new products such as enhanced customerexperiences and program management agreements where banks act asinsured depository support for various payment systems. Recently, somecommentators have opined that community banks should not enter intoFinTech relationships. Clearly, there are risks involved in these relationshipsthat must be understood and anticipated by the bank, but banks should atleast consider this avenue as boards determine how best to address theirproduct and technology concerns and opportunities in the future.

www.bfkn.com

5 Essential Things To Know

Regardless of the product or service, many banks are examining FinTech offerings as a way to enhance theircustomer’s experience or provide additional non-interest income. Because of their novelty and the various risksinherent with working with a FinTech, any potential FinTech relationship should be approached carefully. We havedeveloped a short list of five of the essential things your bank should know if you are considering an agreement witha FinTech:

● Know the FinTech entity you are working withYour bank should know the FinTech entity you are working with because their reputation could become yourreputation.

● Know the agreement with the FinTechYour bank must understand how the agreement will work in practice, what are the parties’ expectations, and if anyother parties are involved. You also need to be able to clearly explain the agreement to your board and yourexaminer.

● Know the law and regulations related to the arrangementYour bank should understand the various laws and regulations governing the arrangement, especially if it is anovel product or service.

● Know your own bank and your FinTech goals and strategyYour bank should know whether the relationship fits with your bank’s strategy and ability to perform under theagreement.

● Know the relationship with the FinTechYour bank should know how the relationship will work after it commences and be actively involved in monitoring it.Have the ability to openly communicate with the FinTech entity.

New FinTech products, services and arrangements are being developed every day. Some are going to serve yourbank better than others. If your bank considers these five issues when approaching a FinTech relationship, it will helpyour bank make the right decisions for the best possible result.

We Can Help You

Please contact us if you are considering a new FinTech product or relationship or if you want to discuss how toapproach contract negotiations with a FinTech in light of these issues. We have helped banks negotiate agreementswith both early-stage FinTechs and industry-leading FinTechs, among others.

Client Alert: Working with a FinTech? – 5 Things to Know

www.bfkn.com

Client Alert Update: FinTech & BankPartnerships


Joseph T. Ceithaml

Bill Fay

Robert M. Fleetwood

John E. Freechack

John M. Geiringer


Emily N. Henkel

Brent McCauley

Abdul R. Mitha

Stanley F. Orszula

Andrea L. Sill

Karol K. Sparks

Dennis R. Wendte


Cybersecurity & Technology


FinTech

May 2, 2017 - Barack Ferrazzano Client Alert

Action Items

If your bank is considering partnering with a FinTech, evaluate the following:

● Will it fit your bank’s strategic plan?

● How well do you know your FinTech partner?

● Do you understand the deal?

● Will the deal pass regulatory and legal muster?

Recently, the FinTech business model shifted from disrupting banks tocollaborating with them, whether in payment services, e-lending, customerexperience, data analytics, insured depository support, or in other areas.Consequently, our Financial Institutions Group attorneys are working on awide range of partnerships and related agreements between banks andFinTechs. Additionally, our clients and our attorneys are receiving more andmore inquiries from FinTechs wanting to partner with banks. From ourexperiences, and as reiterated at the recent FinXTech annual summit in NewYork City that our attorneys attended, there are four main considerations forpartnering with a FinTech. While partnering with a FinTech can be accretiveto a bank and fit squarely into the bank’s strategic vision, banks shouldconsider the following when evaluating any potential FinTech partnership oragreement:

● Will it fit your bank’s strategic plan?While FinTech partnerships can be very positive for your bank, the firstquestion is to determine whether the partnership fits your bank’s strategicvision and innovation plan.

www.bfkn.com

● How well do you know your FinTech partner?FinTech entities range from early-stage start-ups to more established organizations. Banks need to perform duediligence on their potential FinTech partners to determine if they are an appropriate partner for your bank.

● Do you actually understand all aspects of the arrangement?FinTech agreements are technical by their nature. Bank senior management and their boards should thoroughlyunderstand the scope of services and pricing before entering into a partnership.

● Will the deal pass regulatory and legal muster?FinTechs, by their nature, are technology companies, sometimes bereft of comprehensive bank legal andregulatory experience. Thus the legal and regulatory implications of any partnership should be comprehensivelyanalyzed and vetted.

We Can Help You

Currently, our Financial Institutions Group attorneys are working on a wide range of partnerships and relatedagreements between banks and FinTechs. Please contact us if you are interested in discussing any potential FinTechpartnership opportunities.

Client Alert Update: FinTech & Bank Partnerships

Client Alert: FDIC Publishes Conducting Business with ...

Documents

Transcript of Client Alert: FDIC Publishes Conducting Business with ...